Guard wireless network from mobile payment threats

The modes of payment evolve as rapidly as the products and services consumers pay for. Case in point: mobile payments, the combination of payment cards and wireless technology that facilitates monetary transactions. Mobile payments can reduce transaction costs for buyers and sellers, and reduce the costs of circulating a cash supply – hence the growing popularity. However, this new payment technology presents many security challenges that must be addressed by merchants to keep customer data safe.

It's not just goodwill driving security initiatives for payment technology, compliance with the Payment Card Industry's Data Security Standards (PCI DSS) mandates that organisation protect consumers. PCI DSS applies to any organisation that stores, processes, or transmits cardholder data, and consists of a minimum set of security requirements and testing procedures designed to encourage and enhance cardholder data security.

Merchants in violation of PCI DSS can face hefty fines from payment brands (e.g., American Express, MasterCard, and VISA) and even lose the ability to process payment cards for goods and services. Additionally, if a consumer does make a purchase via mobile payment and their information is compromised (i.e., cardholder data), the merchant may be liable (especially if they do not proactively comply with standards).

Further, if adequate safeguards are not followed to meet PCI standards, consumers may perceive that payment card information is at risk and choose not to use a merchant's infrastructure. If people lose faith in the security of a payment system, they will stop using it and the system will eventually become useless. Merchants accepting payment cards need to comply with the PCI DSS to ensure they have implemented proper safeguards to protect cardholder data and secured their points-of-sale from attackers and intruders that put customer data at risk.

Today, there are three main types of threats that attackers use to capture and exploit mobile payment cardholder data. Fortunately, with a strong wireless intrusion prevention system (WIPS), merchants can detect and combat these threats and keep themselves and customers safe. Here are the top 3 most frequent and dangerous attacks and what merchants can do to protect their wireless LAN (WLAN).

DoS attacks on WLANsDenial of Service (DoS) attacks flood data networks with malicious data that can infect mobile devices with malware that may destroy, modify, or compromise cardholder data. DoS attacks are designed to disrupt wireless services by exploiting vulnerabilities in wireless connections at the physical and data-link layers. For example, RF jamming devices with powerful antennas can disrupt a mobile payment system from inside or outside the boundaries of a store.

Wi-Fi Point of Sale Terminals (POSTs), whether they are smartphones or vending machines, are susceptible to DoS attacks because the RF communication that sets up and maintains network and device connections can be spoofed – it has no encryption mechanism. Wireless attackers disrupt services to mobile devices by continually transmitting disassociation or de-authentication notices to phones that appear to be from legitimate access points. In effect, the phone will try to re-establish services, or re-authenticate, only to get immediately disconnected, over and over again.

Combatting WLAN DoS attacks: Organisations can deploy wireless intrusion protection systems that monitor and detect critical intrusions that may compromise cardholder data security or disrupt wireless payment operations. These systems detect attacks by continuously monitoring the Wi-Fi communication, tracking wireless connections and associations to store access points, and analysing the RF environment for transmission sources that could disrupt communications or are from malicious devices. When attacks are identified, the WIPS will generate an alert so that IT security operations can immediately remediate the problem.

Skimming cardholder dataSkimming is the theft of credit card information from observing a legitimate payment transaction. Although there are a number of ways to "skim" credit card information, the process for POSTs is similar to ATM skimming: a thief attaches a third-party card-reading device on the outside or inside of the payment terminal to capture customer's credit card information processed during a payment transaction. Many skimming devices use Bluetooth transmitters to transfer the skimmed information to thieves on demand. Note that Bluetooth devices can communicate from a distance of one meter (class 3) to 100m (class 1).

Detecting if cardholder data is being skimmed: Like many Wi-Fi devices, Bluetooth is a networking protocol that operates in the 2.4GHz band. Although it is difficult for WIDS/WIPS to identify Bluetooth transmissions in the WLAN, its presence creates RF channel noise. By tracking the noise level for RF channels, WIDS/WIPS can identify channels with sustained, high levels of noise. Once identified, vendors can use a Wi-Fi analyser with a directional antenna to track down the source of the noise and take action.

Unauthorised devices on WLANsThieves may also set up their own Wi-Fi POST, masquerading as a vendor's POST, or even masquerade as a store clerk and offer up a point of sale on their own Wi-Fi smartphone. These devices operate as unauthorised or rouge devices on a vendor's WLAN or attempt to set up their own WLAN.

Identifying and protecting WLAN from unauthorised devices: To identify unauthorised and rouge devices, organisations need to be vigilant and monitor the wireless network for unauthorised POSTs, access points, and wireless clients. This is best accomplished with a wireless intrusion prevention system. With a WIPS, organisations can track the security status of every wireless device in the WLAN and see if there are any unauthorised or rogue devices that may put mobile payments at risk.

These systems can also generate alerts when authorised devices deviate from a security policy, e.g., to use encrypted communications. Once unauthorised devices are identified, they can be easily located and removed with location information provided by the system.

Secure mobile payment cardholder dataMobile payments are a cost-effective, convenient payment solution for both consumers and merchants. But if merchants choose to accept payments over Wi-Fi, they need to ensure PCI-DSS compliance or be subject to fines or worse. Investing in a dedicated WIPS that provides comprehensive Wi-Fi protection against the introduction of unauthorised devices and dangerous attacks, as well as spectrum analysis for detection of RF threats, will provide the necessary security to enable adoption of mobile payment technology while meeting PCI DSS requirements to ensure consumers and merchants get the most bang for their buck in mobile payment transactions.

About the authorMilind Bhise has over fifteen years of high tech and networking industry experience. Currently, he is responsible for product management and product marketing of the wireless LAN portfolio at Fluke Networks. The portfolio includes market leading WLAN deployment, design and analysis tools and AirMagnet Enterprise, a scalable WLAN security and performance monitoring solution. He has a Masters in Engineering and a MBA.